Detecting data exfiltration as the data exfiltration occurs or after the data exfiltration occurs

ABSTRACT

A device may identify exfiltration information to be used to detect data exfiltration. The exfiltration information may be associated with a file being tested to determine whether the file exfiltrates data. The exfiltration information may include a resource identifier that identifies a resource to be used to detect the data exfiltration. The device may determine that the resource, to be used to detect the data exfiltration, has been accessed. The device may identify, based on determining that the resource has been accessed, the file associated with the exfiltration information. The device may perform an action, associated with the file, to counteract the data exfiltration based on determining that the resource has been accessed and based on identifying the file.

BACKGROUND

Data exfiltration is the unauthorized copying, transfer, or retrieval of data from a computer or server. Data exfiltration is a malicious activity performed through various different techniques, typically by cybercriminals over the Internet or another network. Data exfiltration may also be referred to as data extrusion, data exportation, or data theft.

SUMMARY

According to some possible implementations, a device may identify exfiltration information to be used to detect data exfiltration. The exfiltration information may be associated with a file being tested to determine whether the file exfiltrates data. The exfiltration information may include a resource identifier that identifies a resource to be used to detect the data exfiltration. The device may determine that the resource, to be used to detect the data exfiltration, has been accessed. The device may identify, based on determining that the resource has been accessed, the file associated with the exfiltration information. The device may perform an action, associated with the file, to counteract the data exfiltration based on determining that the resource has been accessed and based on identifying the file.

According to some possible implementations, a computer-readable medium may store one or more instructions that, when executed by one or more processors, cause the one or more processors to receive or generate exfiltration information to be used to detect data exfiltration. The exfiltration information may be associated with a file to be tested to determine whether the file exfiltrates the exfiltration information. The exfiltration information may include a resource identifier that identifies a resource to be used to detect the data exfiltration. The one or more instructions may cause the one or more processors to determine that the resource, to be used to detect the data exfiltration, has been accessed. The one or more instructions may cause the one or more processors to identify, based on determining that the resource has been accessed, the file associated with the exfiltration information. The one or more instructions may cause the one or more processors to perform an action to counteract the data exfiltration based on identifying the file.

According to some possible implementations, a method may include receiving, by a device, exfiltration information to be used to detect data exfiltration. The exfiltration information may be associated with a file being tested to determine whether the file exfiltrates data. The exfiltration information may include a resource identifier that identifies a resource to be used to detect the data exfiltration. The method may include determining, by the device, that the resource, to be used to detect the data exfiltration, has been accessed. The method may include identifying, by the device and based on determining that the resource has been accessed, the file associated with the exfiltration information. The method may include performing, by the device, an action to counteract the data exfiltration based on determining that the resource has been accessed and based on identifying the file.

BRIEF DESCRIPTION OF THE DRAWINGS

FIG. 1 is a diagram of an overview of an example implementation described herein;

FIG. 2 is a diagram of an example environment in which systems and/or methods, described herein, may be implemented;

FIG. 3 is a diagram of example components of one or more devices of FIG. 2;

FIG. 4 is a flow chart of an example process for detecting data exfiltration as the data exfiltration occurs;

FIGS. 5A and 5B are diagrams of an example implementation relating to the example process shown in FIG. 4;

FIGS. 6A and 6B are diagrams of another example implementation relating to the example process shown in FIG. 4;

FIG. 7 is a flow chart of an example process for detecting data exfiltration after the data exfiltration occurs; and

FIG. 8 is a diagram of an example implementation relating to the example process shown in FIG. 7.

DETAILED DESCRIPTION

The following detailed description of example implementations refers to the accompanying drawings. The same reference numbers in different drawings may identify the same or similar elements.

Malicious users may exfiltrate sensitive information stored by a computing device, such as a server, a personal computer, or the like. For example, a user, who is a target of a malware attack, may download a data exfiltration malware application onto a client device (e.g., a computer, a mobile phone, etc.), and the application may obtain and transmit (e.g., may exfiltrate) sensitive information, stored by the client device, to a device used by the malicious user. In some cases, the client device or a security device (e.g., a firewall, a gateway, etc.) may detect data exfiltration by monitoring outbound traffic for sensitive information. In this way, data exfiltration may be detected when the data is being exfiltrated (e.g., when the data is being transmitted from the client device). However, in some cases, the malware application may encrypt the exfiltrated data, making it difficult to detect data exfiltration by monitoring outbound traffic. Implementations described herein are capable of detecting data exfiltration when the data is being exfiltrated, and also at a later point in time when the exfiltrated data is used and/or accessed (e.g., after the data has been exfiltrated). This provides greater protection from data exfiltration.

FIG. 1 is a diagram of an overview of an example implementation 100 described herein. As shown in FIG. 1, assume that a security device receives a file to be tested for data exfiltration. As further shown, assume that the security device executes the file in a testing environment that stores exfiltration information. The exfiltration information may identify a resource that, when accessed, indicates that data exfiltration has occurred. For example, the exfiltration information may include a document that includes program code (e.g., a script) that accesses a resource, an email address that may be used to access a resource, a uniform resource identifier (URI) that may be used to access a resource, or the like. Furthermore, the exfiltration information may be associated with a file identifier that identifies the file, such that the file that exfiltrated the data can be identified when the resource is accessed.

As further shown in FIG. 1, the security device may detect data exfiltration by detecting that the exfiltration information (e.g., a document, an email address, a URI, etc.) is included in outbound network traffic (e.g., as plaintext). In this way, the security device may detect data exfiltration as the data exfiltration occurs. However, in some cases, the security device may not be capable of detecting data exfiltration as the data exfiltration occurs, such as when the exfiltrated data is encrypted. In this case, an exfiltration detection device (e.g., a server or a similar device) may detect data exfiltration after the data exfiltration has occurred.

For example, and as shown, the exfiltration detection device may receive a request to access a resource, identified in the exfiltration information that was exfiltrated by the file, after initial testing of the file in the testing environment of the security device. In this case, the exfiltration detection device may detect data exfiltration by determining that the resource was accessed. Furthermore, since the exfiltration information includes a file identifier that identifies the file, the exfiltration detection device may identify the file using the file identifier. In this way, the security device and/or the exfiltration detection device may determine whether a file is a data exfiltration malware application when data exfiltration occurs and/or after data exfiltration occurs, thereby increasing the likelihood that data exfiltration is detected, and improving security of stored information.

FIG. 2 is a diagram of an example environment 200 in which systems and/or methods, described herein, may be implemented. As shown in FIG. 2, environment 200 may include one or more client devices 210-1 through 210-N (N≥1) (hereinafter referred to collectively as “client devices 210,” and individually as “client device 210”), a security device 220, a customer network 230, an exfiltration detection device 240, and a network 250. Devices of environment 200 may interconnect via wired connections, wireless connections, or a combination of wired and wireless connections.

Client device 210 may include one or more devices capable of storing information that may be exfiltrated by a data exfiltration malware application. For example, client device 210 may include a desktop computer, a laptop computer, a tablet computer, a mobile phone (e.g., a smart phone, a radiotelephone, etc.), a server, or a similar type of device. In some implementations, client device 210 may store sensitive information, such as credit card information, bank information, personal information, company information, or the like. In some implementations, client device 210 may reside on customer network 230.

Security device 220 may include one or more devices capable of processing and/or transferring network traffic associated with client device 210, and/or capable of providing a security service (e.g., a data exfiltration detection service) for client device 210 and/or customer network 230. For example, security device 220 may include a gateway, a firewall, a router, a bridge, a hub, a switch, a load balancer, an access point, a reverse proxy, a server (e.g., a proxy server), or a similar type of device. Security device 220 may be used in connection with a single client device 210 or a group of client devices 210 (e.g., client devices 210 associated with a private network, a data center, etc.). In some implementations, communications may be routed through security device 220 to reach the group of client devices 210. For example, security device 220 may be positioned within a network as a gateway to customer network 230 that includes the group of client devices 210. Additionally, or alternatively, communications from client devices 210 may be encoded such that the communications are routed to security device 220 before being routed elsewhere.

In some implementations, security device 220 may detect data exfiltration (e.g., as the data exfiltration occurs). For example, security device 220 may monitor a file requested by and/or provided to client device 210 (e.g., before the file is provided to client device 210, after the file is provided to client device 210, etc.) to detect whether the file exfiltrates data. In some implementations, security device 220 may execute the file in a testing environment (e.g., a sandbox environment), and may detect whether the file exfiltrates data from the testing environment.

Customer network 230 may include one or more wired and/or wireless networks. For example, customer network 230 may include a local area network (LAN), a private network, an intranet, a cloud computing network, a cellular network (e.g., a long-term evolution (LTE) network, a 3G network, a code division multiple access (CDMA) network, etc.), a public land mobile network (PLMN), a wide area network (WAN), a metropolitan area network (MAN), a telephone network (e.g., the Public Switched Telephone Network (PSTN)), an ad hoc network, the Internet, a fiber optic-based network, or the like, and/or a combination of these or other types of networks. In some implementations, customer network 230 may be a private network associated with client devices 210.

Exfiltration detection device 240 may include one or more devices capable of processing and/or transferring network traffic associated with client device 210, and/or capable of providing a security service (e.g., a data exfiltration detection service) for client device 210 and/or customer network 230. For example, exfiltration detection device 240 may include a gateway, a firewall, a router, a bridge, a hub, a switch, a load balancer, a reverse proxy, a server (e.g., a proxy server), or a similar type of device. In some implementations, exfiltration detection device 240 may detect data exfiltration (e.g., after the data exfiltration occurs). For example, exfiltration detection device 240 may detect access to a resource, such as a resource stored by exfiltration detection device 240. Access to the resource may indicate that data exfiltration has occurred. Exfiltration detection device 240 may identify a file, associated with the resource access, that has exfiltrated data. In some implementations, exfiltration detection device 240 and security device 220 may be implemented within a single device.

Network 250 may include one or more wired and/or wireless networks. For example, network 250 may include a cellular network, a PLMN, a LAN, a WAN, a MAN, a telephone network (e.g., the PSTN), a private network, an ad hoc network, an intranet, the Internet, a fiber optic-based network, a cloud computing network, or the like, and/or a combination of these or other types of networks. In some implementations, security device 220 and/or exfiltration detection device 240 may monitor a file, requested by client device 210 from a device (e.g., a server) associated with network 250, to detect whether the file exfiltrates data.

The number and arrangement of devices and networks shown in FIG. 2 are provided as an example. In practice, there may be additional devices and/or networks, fewer devices and/or networks, different devices and/or networks, or differently arranged devices and/or networks than those shown in FIG. 2. Furthermore, two or more devices shown in FIG. 2 may be implemented within a single device, or a single device shown in FIG. 2 may be implemented as multiple, distributed devices. For example, security device 220 and exfiltration detection device 240 may be the same device. Additionally, or alternatively, security device 220 and/or exfiltration detection device 240 may be implemented within client device 210. Additionally, or alternatively, a set of devices (e.g., one or more devices) of environment 200 may perform one or more functions described as being performed by another set of devices of environment 200.

FIG. 3 is a diagram of example components of a device 300. Device 300 may correspond to client device 210, security device 220, and/or exfiltration detection device 240. In some implementations, client device 210, security device 220, and/or exfiltration detection device 240 may include one or more devices 300 and/or one or more components of device 300. As shown in FIG. 3, device 300 may include a bus 310, a processor 320, a memory 330, a storage component 340, an input component 350, an output component 360, and a communication interface 370.

Bus 310 may include a component that permits communication among the components of device 300. Processor 320 is implemented in hardware, firmware, or a combination of hardware and software. Processor 320 may include a processor (e.g., a central processing unit (CPU), a graphics processing unit (GPU), an accelerated processing unit (APU), etc.), a microprocessor, and/or any processing component (e.g., a field-programmable gate array (FPGA), an application-specific integrated circuit (ASIC), etc.) that interprets and/or executes instructions. Memory 330 may include a random access memory (RAM), a read only memory (ROM), and/or another type of dynamic or static storage device (e.g., a flash memory, a magnetic memory, an optical memory, etc.) that stores information and/or instructions for use by processor 320.

Storage component 340 may store information and/or software related to the operation and use of device 300. For example, storage component 340 may include a hard disk (e.g., a magnetic disk, an optical disk, a magneto-optic disk, a solid state disk, etc.), a compact disc (CD), a digital versatile disc (DVD), a floppy disk, a cartridge, a magnetic tape, and/or another type of computer-readable medium, along with a corresponding drive.

Input component 350 may include a component that permits device 300 to receive information, such as via user input (e.g., a touch screen display, a keyboard, a keypad, a mouse, a button, a switch, a microphone, etc.). Additionally, or alternatively, input component 350 may include a sensor for sensing information (e.g., a global positioning system (GPS) component, an accelerometer, a gyroscope, an actuator, etc.). Output component 360 may include a component that provides output information from device 300 (e.g., a display, a speaker, one or more light-emitting diodes (LEDs), etc.).

Communication interface 370 may include a transceiver-like component (e.g., a transceiver, a separate receiver and transmitter, etc.) that enables device 300 to communicate with other devices, such as via a wired connection, a wireless connection, or a combination of wired and wireless connections. Communication interface 370 may permit device 300 to receive information from another device and/or provide information to another device. For example, communication interface 370 may include an Ethernet interface, an optical interface, a coaxial interface, an infrared interface, a radio frequency (RF) interface, a universal serial bus (USB) interface, a Wi-Fi interface, a cellular network interface, or the like.

Device 300 may perform one or more processes described herein. Device 300 may perform these processes in response to processor 320 executing software instructions stored by a computer-readable medium, such as memory 330 and/or storage component 340. A computer-readable medium is defined herein as a non-transitory memory device. A memory device includes memory space within a single physical storage device or memory space spread across multiple physical storage devices.

Software instructions may be read into memory 330 and/or storage component 340 from another computer-readable medium or from another device via communication interface 370. When executed, software instructions stored in memory 330 and/or storage component 340 may cause processor 320 to perform one or more processes described herein. Additionally, or alternatively, hardwired circuitry may be used in place of or in combination with software instructions to perform one or more processes described herein. Thus, implementations described herein are not limited to any specific combination of hardware circuitry and software.

The number and arrangement of components shown in FIG. 3 are provided as an example. In practice, device 300 may include additional components, fewer components, different components, or differently arranged components than those shown in FIG. 3. Additionally, or alternatively, a set of components (e.g., one or more components) of device 300 may perform one or more functions described as being performed by another set of components of device 300.

FIG. 4 is a flow chart of an example process 400 for detecting data exfiltration as the data exfiltration occurs. In some implementations, one or more process blocks of FIG. 4 may be performed by security device 220. In some implementations, one or more process blocks of FIG. 4 may be performed by another device or a set of devices separate from or including security device 220, such as client device 210 and/or exfiltration detection device 240.

As shown in FIG. 4, process 400 may include receiving a file to be tested for data exfiltration (block 410). For example, security device 220 may receive a file (e.g., an executable file, an application, a program, etc.) to be tested for data exfiltration. In some implementations, the file may be associated with client device 210 (e.g., may be stored by client device 210, may be executing on client device 210, may be requested by client device 210, etc.). As an example, client device 210 may request a file (e.g., from a website, via an email link, etc.), and security device 220 may receive and/or test the file before the file is provided to client device 210. In some implementations, security device 220 may test the file in a testing environment, such as a sandbox environment.

As further shown in FIG. 4, process 400 may include generating and/or storing exfiltration information to be used to detect data exfiltration, the exfiltration information being associated with the file and identifying a resource to be accessed (block 420). For example, security device 220 may generate and/or store exfiltration information to be used to detect data exfiltration. The exfiltration information may identify a resource (e.g., using a resource identifier) that, when accessed, indicates that data has been exfiltrated. In some implementations, security device 220 may provide the exfiltration information to exfiltration detection device 240 to permit exfiltration detection device 240 to create the resource to be accessed. In this way, exfiltration detection device 240 may use the resource to detect data exfiltration after the data exfiltration has occurred, as described in more detail elsewhere herein.

As an example, the resource identifier may include an email address (e.g., associated with a mail server that, when accessed, indicates data exfiltration), a uniform resource identifier (URI) (e.g., a uniform resource locator (URL) that identifies a website, a URI that identifies a file transfer protocol (FTP) resource, a URI that identifies a hypertext transfer protocol (HTTP) resource, a URI that identifies a file, etc.), a phone number (e.g., associated with a voice over Internet protocol (VoIP) phone that, when called, indicates that data has been exfiltrated), a device identifier (e.g., a network address, such as an Internet protocol (IP) address, that identifies a device that, when accessed, indicates data exfiltration), a port identifier (e.g., a port number that identifies a port of a device that, when accessed, indicates data exfiltration), a social media message endpoint identifier (e.g., that identifies a resource where social media messages may be sent), or the like. Additionally, or alternatively, the exfiltration information may include program code (e.g., a script, or the like) that, when executed, causes a resource to be accessed to indicate that data has been exfiltrated. The program code may include a resource identifier that identifies the resource. Additionally, or alternatively, the exfiltration information may include a sequence of keystrokes (e.g., emulated by security device 220), a sequence of characters, or a sequence of input events (e.g., different types of mouse clicks, etc.) that are input while the testing environment is executed.

Additionally, or alternatively, the exfiltration information may include information designed to appear to be sensitive information. For example, the exfiltration information may include information designed to look like a credential (e.g., a username, a password, a personal identification number (PIN), etc.), a credit card number, a bank account number, confidential company information, personal information (e.g., a name, address, date of birth, social security number, etc.), or the like. In this way, security device 220 may increase the likelihood that a data exfiltration malware application exfiltrates the exfiltration information, and therefore the likelihood that the data exfiltration is detected.

In some implementations, the resource may be associated with and/or stored by exfiltration detection device 240. In this way, when the resource is accessed, exfiltration detection device 240 may detect that data exfiltration has occurred, as described in more detail elsewhere herein.

In some implementations, security device 220 may store the exfiltration information in a testing environment (e.g., associated with a virtual machine) of security device 220. Additionally, or alternatively, security device 220 may store the exfiltration information using a stored document (e.g., a text document, a word processing document, a spreadsheet document, a portable document format (PDF) document, etc.), using a stored credential (e.g., stored using a browser, stored using an operating system, etc.), using a stored URI (e.g., using a web browser history, a web browser bookmark, a web browser favorite, etc.), using a stored application (e.g., stored in a most recently used application history, a favorite application, an administrator application, etc.), using contact information (e.g., an address book), using a system file (e.g., an operating system host file, an administrator file, etc.), or the like.

The exfiltration information may be associated with the file that was received for testing by security device 220. In some implementations, the exfiltration information may include a file identifier that identifies the file. For example, the exfiltration information may be encoded with a file identifier that identifies the file, such as a hash value of the file (e.g., generated by applying a hash algorithm to the file), a file name of the file, or the like. As an example, executing program code included in a document with exfiltration information may cause a file identifier to be sent to exfiltration detection device 240. As another example, the file identifier may be included in an email address, a URI, a social media message endpoint identifier, or the like. In some implementations, security device 220 may apply steganography to obfuscate the file identifier. For example, security device 220 may select random words (e.g., from a stored dictionary), corresponding to each letter of the file name, and may generate the file identifier based on the random words (e.g., by concatenating the random words).

Additionally, or alternatively, security device 220 (or another device) may store, in a data structure, a relationship indicator that indicates a relationship between the exfiltration information (and/or a resource identifier included in the exfiltration information) and the file. In this way, exfiltration detection device 240 may use the exfiltration information and/or the resource identifier to identify the file that exfiltrated the exfiltration information, as described in more detail elsewhere herein.
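The following Python is an added worked example of blocks 420 and of the file-identifier and relationship-indicator passages above; it is not code from the patent or from any product. It generates exfiltration information for a file (a hash value, a file name obfuscated as a concatenation of dictionary words, an email address and a URL carrying that obfuscated identifier, and a fake credential), records the relationship indicator in a plain dictionary, and resolves an accessed resource back to the file, which is what exfiltration detection device 240 would do. The word list, the domain `canary.example`, and the names of all functions and fields are constructed assumptions for the example.

```python
import hashlib
import random
from dataclasses import dataclass
from string import ascii_lowercase

# Constructed stand-in for the "stored dictionary": two words per letter, chosen so
# that a word's first letter is the character it encodes. "." gets its own words so
# that a file extension survives the encoding.
WORDLIST = [
    "apple", "anchor", "basket", "bridge", "candle", "canyon", "dagger", "dune",
    "ember", "eagle", "falcon", "fjord", "garden", "glacier", "harbor", "hazel",
    "island", "ivory", "jasper", "jungle", "kettle", "kiosk", "lantern", "lotus",
    "marble", "meadow", "nectar", "nimbus", "orchid", "otter", "pebble", "prism",
    "quartz", "quiver", "raven", "ridge", "saddle", "summit", "tundra", "turret",
    "umber", "uplift", "velvet", "vortex", "walnut", "willow", "xenon", "xylem",
    "yarrow", "yonder", "zephyr", "zinc",
]
BY_CHAR = {c: [w for w in WORDLIST if w[0] == c] for c in ascii_lowercase}
BY_CHAR["."] = ["dot", "point"]
WORD_TO_CHAR = {w: c for c, words in BY_CHAR.items() for w in words}

CANARY_DOMAIN = "canary.example"  # assumed: a domain the detection device controls


def file_identifier(data: bytes) -> str:
    """Hash value of the file, one of the file identifiers the text names."""
    return hashlib.sha256(data).hexdigest()


def encode_file_token(file_name: str, rng: random.Random) -> str:
    """Obfuscate the file name as the text describes: one random dictionary word per
    character, concatenated ('-' separated so the words can be split again)."""
    words = []
    for c in file_name.lower():
        if c not in BY_CHAR:
            raise ValueError(f"character {c!r} has no dictionary words")
        words.append(rng.choice(BY_CHAR[c]))
    return "-".join(words)


def decode_file_token(token: str) -> str:
    """Reverse of encode_file_token: map each word back to the character it encodes."""
    chars = []
    for w in token.split("-"):
        if w not in WORD_TO_CHAR:
            raise ValueError(f"{w!r} is not a dictionary word")
        chars.append(WORD_TO_CHAR[w])
    return "".join(chars)


@dataclass(frozen=True)
class ExfiltrationInfo:
    file_name: str
    file_hash: str
    file_token: str       # obfuscated file identifier embedded in the resources below
    email: str            # resource identifier: mailbox that should never be written to
    url: str              # resource identifier: URL that should never be requested
    fake_credential: str  # information designed to appear sensitive


def build_exfiltration_info(file_name: str, data: bytes, seed=None) -> ExfiltrationInfo:
    """Block 420: generate exfiltration information tied to the file under test."""
    rng = random.Random(seed)  # seed only so the example is reproducible
    token = encode_file_token(file_name, rng)
    return ExfiltrationInfo(
        file_name=file_name,
        file_hash=file_identifier(data),
        file_token=token,
        email=f"{token}@{CANARY_DOMAIN}",
        url=f"https://{CANARY_DOMAIN}/r/{token}",
        fake_credential=f"svc-backup:{rng.randrange(10**8, 10**9)}",
    )


def register(registry: dict, info: ExfiltrationInfo) -> None:
    """Relationship indicator: every resource identifier points back at the file."""
    file_ref = {"file_name": info.file_name, "file_hash": info.file_hash}
    for resource in (info.file_token, info.email, info.url, info.fake_credential):
        registry[resource] = file_ref


def identify_file(registry: dict, accessed_resource: str):
    """Detection side: given an accessed resource (URL requested, mailbox written to,
    credential used), return the file it was associated with, or None."""
    if accessed_resource in registry:
        return registry[accessed_resource]
    # The token may arrive inside a longer string (a URL with a query string, a
    # mail header); any registered identifier found inside it is enough.
    for resource, file_ref in registry.items():
        if resource in accessed_resource:
            return file_ref
    return None


if __name__ == "__main__":
    info = build_exfiltration_info("invoice.exe", b"constructed file body", seed=7)
    registry = {}
    register(registry, info)
    print(info.url, "->", identify_file(registry, info.url + "?session=1"))
```

The registry lookup is the primary path; `decode_file_token` exists so that a detection device that only sees the token can still recover the file name without the registry, which matters when the security device and the exfiltration detection device are separate devices that have not yet synchronised.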

In some implementations, exfiltration information may be generated and/or stored by client device 210. For example, client device 210 may store exfiltration information (e.g., at the instruction of security device 220) in a location in which a user of client device 210 is unlikely to access the exfiltration information (e.g., in a system folder, in a registry file, in a recycling bin, etc.).

As further shown in FIG. 4, process 400 may include executing the file (block 430), and monitoring outbound network traffic for the exfiltration information (block 440). For example, security device 220 may execute the file (e.g., in the testing environment). After executing the file, security device 220 may monitor outbound network traffic (e.g., traffic that leaves security device 220 and/or the testing environment). In some implementations, security device 220 may monitor outbound network traffic for a threshold amount of time (e.g., one minute, five minutes, ten minutes, thirty minutes, one hour, one day, etc.).

As further shown in FIG. 4, process 400 may include determining whether the exfiltration information is detected in the outbound network traffic (block 450). For example, security device 220 may monitor outbound network traffic to detect whether the outbound network traffic includes the exfiltration information (e.g., a resource identifier, information designed to appear to be sensitive information, etc.). In some implementations, security device 220 may monitor outbound network traffic for plaintext that matches text of the exfiltration information (e.g., text corresponding to a resource identifier, text corresponding to sensitive information, etc.).

As further shown in FIG. 4, if the exfiltration information is detected in the outbound network traffic (block 450—YES), then process 400 may include performing an action to counteract data exfiltration (block 460). For example, if security device 220 detects the exfiltration information in the outbound network traffic, then security device 220 may perform an action to counteract data exfiltration. In some implementations, security device 220 may counteract data exfiltration by identifying the file as suspicious. In this case, security device 220 may store a malware indicator, in association with the file, that indicates that the file is suspicious (e.g., is malware). In this way, security device 220 and/or another device may use the malware indicator to identify the file as malware, and may perform an action to counteract the malware.

Additionally, or alternatively, security device 220 may counteract data exfiltration by identifying the file (e.g., in memory) and deleting the file from memory. In this way, security device 220 may prevent the file from exfiltrating data.

As another example, assume that client device 210 requests the file from a device associated with network 250 (e.g., a web server, a host server, etc.). In this case, security device 220 may receive the request, may request the file from the device, may receive the file from the device, and may detect whether the file exfiltrates data before sending the file to client device 210. If security device 220 determines that the file exfiltrates data (e.g., based on performing one or more of the operations described in connection with blocks 410-450), security device 220 may counteract data exfiltration by preventing the file from being provided to client device 210. If security device 220 determines that the file does not exfiltrate data, then security device 220 may provide the file to client device 210. In this way, security device 220 may prevent a malicious file from exfiltrating data.

In some implementations, if security device 220 determines that the file exfiltrates data, then security device 220 may counteract data exfiltration by monitoring the file (e.g., by monitoring communications sent by the file) to identify a device to which exfiltration information is being sent (e.g., to identify a command and control server). In this case, security device 220 may block communications associated with the device, may provide an instruction to client device 210 and/or another device associated with customer network 230 (e.g., a firewall, a router, a gateway, etc.) to block communications associated with the device (e.g., to block communications to and/or from the device), or the like. In this way, security device 220 may prevent a malicious file from exfiltrating data.

Additionally, or alternatively, security device 220 may provide a notification that identifies client devices 210 that are communicating with the device (e.g., the command and control server) to identify and protect these client devices 210. In this way, security device 220 may protect client devices 210, of customer network 230, from security threats.

As further shown in FIG. 4, if the exfiltration information is not detected in the outbound network traffic (block 450—NO), then process 400 may include performing an action to permit the file to be accessed (block 470). For example, if security device 220 does not detect the exfiltration information in the outbound network traffic (e.g., after monitoring the outbound network traffic for a threshold amount of time), then security device 220 may perform an action to permit the file to be accessed. In some implementations, security device 220 may permit the file to be accessed by identifying the file as unsuspicious. In this case, security device 220 may store a malware indicator, in association with the file, that indicates that the file is unsuspicious (e.g., is not malware).

As another example, assume that client device 210 requests the file from a device associated with network 250 (e.g., a web server, a host server, etc.). In this case, security device 220 may receive the request, may request the file from the device, may receive the file from the device, and may detect whether the file exfiltrates data before sending the file to client device 210. If security device 220 determines that the file does not exfiltrate data (e.g., based on performing one or more of the operations described in connection with blocks 410-450), security device 220 may permit the file to be accessed by providing the file to client device 210. In this way, security device 220 may protect client devices 210, of customer network 230, from security threats.

In some implementations, security device 220 may not detect the exfiltration information in the outbound network traffic because the exfiltration information has been encrypted before being transmitted. Additionally, or alternatively, security device 220 may not detect the exfiltration information in the outbound network traffic because the file transmits the exfiltration information after the threshold amount of time for monitoring outbound network traffic has elapsed. As described in more detail elsewhere herein, security device 220 and/or exfiltration detection device 240 may still detect data exfiltration in these cases by detecting the data exfiltration after the data exfiltration has occurred.

As further shown in FIG. 4, process 400 may include providing and/or storing the exfiltration information (block 480). For example, security device 220 may store the exfiltration information (e.g., in a memory local to security device 220), and/or may provide the exfiltration information to another device, such as exfiltration detection device 240. In some implementations, security device 220 may store the exfiltration information and/or provide the exfiltration information to exfiltration detection device 240 when the exfiltration information is generated, as described above in connection with block 420. Additionally, or alternatively, security device 220 may store the exfiltration information and/or provide the exfiltration information to exfiltration detection device 240 after failing to detect the exfiltration information in the outbound network traffic. In this way, security device 220 may conserve computing resources (e.g., memory) and/or network resources by only providing the exfiltration information, for detection of data exfiltration, if security device 220 fails to detect data exfiltration.

Security device 220 and/or exfiltration detection device 240 may use the exfiltration information to create a resource accessible to detect data exfiltration, as described in more detail in connection with FIG. 6. In this way, security device 220 may detect data exfiltration as the data exfiltration occurs. Furthermore, and as described in more detail in connection with FIG. 6, security device 220 and/or exfiltration detection device 240 may continue to monitor a resource, associated with the exfiltration information, to determine whether the resource has been accessed. When the resource is accessed, this may indicate that data has been exfiltrated. In this way, security device 220 and/or exfiltration detection device 240 may detect data exfiltration as the data exfiltration occurs and/or after the data exfiltration occurs (e.g., when the exfiltrated data is accessed or used).

Although FIG. 4 shows example blocks of process 400, in some implementations, process 400 may include additional blocks, fewer blocks, different blocks, or differently arranged blocks than those depicted in FIG. 4. Additionally, or alternatively, two or more of the blocks of process 400 may be performed in parallel.

FIGS. 5A and 5B are diagrams of an example implementation 500 relating to example process 400 shown in FIG. 4. FIGS. 5A and 5B show an example of detecting data exfiltration as the data exfiltration occurs.

As shown in FIG. 5A, and by reference number 510, assume that security device 220 receives a file, shown as “File A,” to be tested for data exfiltration. Based on receiving File A, assume that security device 220 loads a testing environment for testing File A, as shown by reference number 520. As further shown, security device 220 may store exfiltration information in the testing environment. For example, and as shown by reference number 530, security device 220 may store a document, shown as “Document A,” in a documents folder of the testing environment. The document, when opened, may cause execution of a code snippet that accesses a resource, indicating that Document A has been accessed (e.g., by a malicious user). In other words, Document A may access a resource (e.g., by sending a message to the resource), and may include a file identifier that identifies File A. The file identifier may be included in the notification to identify that File A exfiltrated data.

As another example, and as shown by reference number 540, security device 220 may store email addresses in a contact list. When a message is sent to one of the email addresses, this may indicate that data exfiltration has occurred (e.g., exfiltration of an email address). Security device 220 may generate the email addresses to include a file identifier that identifies File A (e.g., userA@email.com, joeA@schmo.com, FileA@detector.com, etc.). In this way, when an email message is received at a particular email address, a device that received the email message (e.g., exfiltration detection device 240) can correlate the email address to the file that exfiltrated data.

As another example, and as shown by reference number 550, security device 220 may store a list of URLs in a web favorites folder. When access to one of the URLs is requested, this may indicate that data exfiltration has occurred (e.g., exfiltration of a URL). Security device 220 may generate the URL to include a file identifier that identifies File A (e.g., www.exampleA.com, www.mysiteA.com, www.fileAhash.com, etc.). In this way, when a request to access a resource identified by the URL is received, a device that received the request (e.g., exfiltration detection device 240) can correlate the URL to the file that exfiltrated data.

As shown in FIG. 5B, assume that after loading the testing environment and storing the generated exfiltration information, security device 220 executes File A, as shown by reference number 560. After executing File A, assume that security device 220 monitors outbound traffic for ten minutes, as shown by reference number 570. For example, assume that security device 220 reads packet information included in packets shown as “Packet A,” “Packet B,” and “Packet C.” As shown by reference number 580, assume that Packet C includes the plaintext “userA@email.com,” which corresponds to an email address stored in the testing environment. As shown by reference number 590, based on detecting this data exfiltration, assume that security device 220 stores a malware indicator that indicates that File A is malware (e.g., is a data exfiltration malware application). Additionally, or alternatively, security device 220 may perform an action to counteract File A, such as preventing a client device 210 that requested File A from receiving File A.
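The FIG. 5A/5B flow above, written out as an added example that is not code from the patent: decoy contacts and favorites are generated with a file identifier embedded (here a SHA-256 prefix rather than the letter "A", an assumption of this example), outbound packets are scanned for them in plaintext, and the exfiltration information is marked for hand-off to the detection device when nothing is found. All domains, file bytes and packets are constructed.

```python
import hashlib
from dataclasses import dataclass, field
from typing import Optional

# Constructed stand-in for the bytes of "File A"; any bytes work.
FILE_A = b"constructed sample bytes standing in for File A"


@dataclass
class ExfiltrationInfo:
    """Decoy values planted in the testing environment; every value embeds the file identifier."""
    file_id: str
    emails: list[str] = field(default_factory=list)
    urls: list[str] = field(default_factory=list)

    def tokens(self) -> list[str]:
        return self.emails + self.urls


def file_identifier(data: bytes) -> str:
    """File identifier derived from the file itself: the first 12 hex digits of its SHA-256.
    The text uses a letter such as "A"; the hash prefix is this example's assumption."""
    return hashlib.sha256(data).hexdigest()[:12]


def generate_exfiltration_info(data: bytes, domain: str = "detector.example") -> ExfiltrationInfo:
    """Decoy contact-list entries and web favorites that can be traced back to the file."""
    fid = file_identifier(data)
    return ExfiltrationInfo(
        file_id=fid,
        emails=[f"user-{fid}@{domain}", f"joe-{fid}@mail.{domain}"],
        urls=[f"http://www.{fid}.{domain}/", f"http://files.{domain}/{fid}"],
    )


def detect_in_traffic(info: ExfiltrationInfo, packets: list[bytes]) -> Optional[dict]:
    """Scan outbound payloads for any decoy value sent in plaintext.
    Encrypted payloads, or packets sent after the monitoring window, yield no match."""
    for index, payload in enumerate(packets):
        text = payload.decode("utf-8", errors="ignore").lower()
        for token in info.tokens():
            if token.lower() in text:
                return {"packet_index": index, "token": token}
    return None


def evaluate_file(data: bytes, packets: list[bytes]) -> dict:
    """Inline verdict plus the hand-off decision: the exfiltration information is forwarded
    to the detection device only when inline monitoring found nothing."""
    info = generate_exfiltration_info(data)
    match = detect_in_traffic(info, packets)
    return {
        "file_id": info.file_id,
        "malware_indicator": "suspicious" if match else "unsuspicious",
        "match": match,
        "forward_to_detection_device": match is None,
        "exfiltration_info": info,
    }


def constructed_packets(info: ExfiltrationInfo) -> list[bytes]:
    """Constructed outbound packets: A and B look benign, C leaks a planted contact in plaintext."""
    return [
        b"GET /update HTTP/1.1\r\nHost: updates.example\r\n\r\n",
        bytes(range(256)),  # opaque bytes standing in for an encrypted record
        b"POST /collect HTTP/1.1\r\nHost: 203.0.113.5\r\n\r\ncontacts=" + info.emails[0].encode(),
    ]


if __name__ == "__main__":
    planted = generate_exfiltration_info(FILE_A)
    print(evaluate_file(FILE_A, constructed_packets(planted))["malware_indicator"])
```

Dropping the third packet (as if it were encrypted or sent after the ten-minute window) flips the verdict to unsuspicious and sets the hand-off flag, which is the FIG. 6B situation.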

As indicated above, FIGS. 5A and 5B are provided merely as an example. Other examples are possible and may differ from what was described with regard to FIGS. 5A and 5B.

FIGS. 6A and 6B are diagrams of another example implementation 600 relating to example process 400 shown in FIG. 4. FIGS. 6A and 6B show an example of failing to detect data exfiltration as the data exfiltration occurs, and sending exfiltration information to another device for detecting data exfiltration after the data exfiltration occurs.

As shown in FIG. 6A, and by reference number 610, assume that security device 220 receives a file, shown as “File B,” to be tested for data exfiltration. Based on receiving File B, assume that security device 220 loads a testing environment for testing File B, as shown by reference number 620. As further shown, security device 220 may store exfiltration information in the testing environment. For example, and as shown by reference number 630, security device 220 may store a document (e.g., Document B) that, when accessed, causes execution of a code snippet that accesses a resource, indicating that File B has exfiltrated data (e.g., the document). As another example, and as shown by reference number 640, security device 220 may store email addresses (e.g., userB@email.com, joeB@schmo.com, FileB@detector.com, etc.) that, when used to access a resource, indicate that File B has exfiltrated data (e.g., the email addresses). As another example, and as shown by reference number 650, security device 220 may store a list of URLs (e.g., www.exampleB.com, www.mysiteB.com, www.fileBhash.com, etc.) that, when used to access a resource, indicate that File B has exfiltrated data (e.g., the URLs).

As shown in FIG. 6B, assume that after loading the testing environment and storing the generated exfiltration information, security device 220 executes File B, as shown by reference number 660. After executing File B, assume that security device 220 monitors outbound traffic for ten minutes, as shown by reference number 670. For example, assume that security device 220 reads packet information included in packets shown as “Packet D,” “Packet E,” and “Packet F.” As shown by reference number 680, assume that security device 220 fails to detect data exfiltration by monitoring the outbound network traffic. For example, security device 220 may fail to detect data exfiltration because data exfiltration did not occur, because the network traffic was encrypted or otherwise obscured, or because the data exfiltration occurred after security device 220 stopped monitoring the network traffic. As shown by reference number 690, based on failing to detect data exfiltration, assume that security device 220 stores a malware indicator that indicates that File B is not malware (e.g., is not a data exfiltration malware application). Additionally, or alternatively, security device 220 may permit File B to be accessed (e.g., by client device 210). Furthermore, assume that security device 220 provides the generated exfiltration information to exfiltration detection device 240, which may use the exfiltration information to detect data exfiltration, as described in more detail below.

As indicated above, FIGS. 6A and 6B are provided merely as an example. Other examples are possible and may differ from what was described with regard to FIGS. 6A and 6B.

FIG. 7 is a flow chart of an example process 700 for detecting data exfiltration after the data exfiltration occurs. In some implementations, one or more process blocks of FIG. 7 may be performed by exfiltration detection device 240. In some implementations, one or more process blocks of FIG. 7 may be performed by another device or a set of devices separate from or including exfiltration detection device 240, such as client device 210 and/or security device 220.

As shown in FIG. 7, process 700 may include identifying exfiltration information (block 710). For example, exfiltration detection device 240 may identify the exfiltration information by receiving the exfiltration information (e.g., from security device 220) and/or by generating the exfiltration information (e.g., when security device 220 and exfiltration detection device 240 are implemented within a single device). In some implementations, exfiltration detection device 240 may receive the exfiltration information (e.g., from security device 220) when the exfiltration information is generated by security device 220. Additionally, or alternatively, exfiltration detection device 240 may receive the exfiltration information (e.g., from security device 220) after security device 220 fails to detect the exfiltration information in outbound network traffic.

Exfiltration detection device 240 may use the exfiltration information to create a resource accessible to detect data exfiltration. For example, the exfiltration information may include a resource identifier that identifies a resource, and exfiltration detection device 240 may create the identified resource to permit the identified resource to be accessed based on exfiltrated data (e.g., when the exfiltration information is exfiltrated and used). As an example, the resource identifier may include an email address, and exfiltration detection device 240 may generate a mail server (e.g., a virtual mail server) accessible via the email address (e.g., a message may be sent to the email address). As another example, the resource identifier may include a URI, and exfiltration detection device 240 may generate a resource accessible via the URI (e.g., a website, a webpage, or the like).

As further shown in FIG. 7, process 700 may include determining that a resource, associated with the exfiltration information, has been accessed (block 720). For example, exfiltration detection device 240 may determine that a resource has been accessed (e.g., a resource associated with program code, an email address, a URI, a phone number, a device identifier, a port identifier, a social media message endpoint identifier, etc.). In some implementations, the resource may be stored by and/or accessible via exfiltration detection device 240. Because the resource is identified by a resource identifier included in exfiltration information used to test whether a file has exfiltrated data, access to the resource may indicate that the exfiltration information has been exfiltrated, and that the file is malware (e.g., a data exfiltration malware application).

As further shown in FIG. 7, process 700 may include identifying a file associated with the exfiltration information (block 730). For example, exfiltration detection device 240 may use the exfiltration information to identify a file that exfiltrated the exfiltration information. In some implementations, the exfiltration information may include a file identifier that identifies the file. For example, the resource identifier may include the file identifier (e.g., a hash value generated by applying a hash algorithm to the file, a file name, etc.). In some implementations, exfiltration detection device 240 may decode the file identifier (e.g., a hash value) to identify the file.

Additionally, or alternatively, exfiltration detection device 240 may search a data structure, using the exfiltration information (e.g., a resource identifier included in the exfiltration information) to identify the file. As an example, the data structure may store a relationship indicator that indicates a relationship between a resource identifier and the file. When a resource, identified by the resource identifier, is accessed, exfiltration detection device 240 may use the data structure to identify a file that shares a relationship with the resource identifier (e.g., based on a relationship indicator). In some implementations, exfiltration detection device 240 may store the data structure. Additionally, or alternatively, another device (e.g., security device 220) may store the data structure.

As further shown in FIG. 7, process 700 may include performing an action to counteract data exfiltration (block 740). For example, if exfiltration detection device 240 detects that the resource has been accessed, then exfiltration detection device 240 may perform an action to counteract data exfiltration, as described above in connection with block 460 of FIG. 4. In some implementations, exfiltration detection device 240 may counteract data exfiltration by identifying the file as suspicious (e.g., using a malware indicator). In this case, the file may have previously been identified as unsuspicious due to a failure by security device 220 to detect the data exfiltration. As such, exfiltration detection device 240 may update a stored malware indicator, associated with the file, from an indication that the file is unsuspicious to an indication that the file is suspicious. In this way, security device 220 and/or another device may use the malware indicator to identify the file as malware, and may perform an action to counteract the suspicious file.

Additionally, or alternatively, exfiltration detection device 240 may counteract data exfiltration by providing a notification to client device(s) 210 that received the file (e.g., due to the file being identified as unsuspicious). The notification may indicate that the file is malware, and may cause client device(s) 210 to perform an action to counteract the file (e.g., delete the file, prevent the file from sending messages, etc.). In this case, security device 220 and/or exfiltration detection device 240 may store information that identifies client device(s) 210 to which the file has been provided, and may use this information to identify client device(s) 210 to which the notification is to be sent.

In this way, exfiltration detection device 240 may detect data exfiltration after the data exfiltration occurs (e.g., when the exfiltrated data is accessed or used). For example, exfiltration detection device 240 may detect data exfiltration that security device 220 failed to detect (e.g., using process 400 of FIG. 4) due to the exfiltration information being encrypted and/or due to a time delay before the exfiltration information is exfiltrated.

Although FIG. 7 shows example blocks of process 700, in some implementations, process 700 may include additional blocks, fewer blocks, different blocks, or differently arranged blocks than those depicted in FIG. 7. Additionally, or alternatively, two or more of the blocks of process 700 may be performed in parallel.

FIG. 8 is a diagram of an example implementation 800 relating to example process 700 shown in FIG. 7. FIG. 8 shows an example of detecting data exfiltration after the data exfiltration has occurred. For the purpose of FIG. 8, assume that the operations described herein in connection with FIGS. 6A and 6B have been performed. In other words, assume that security device 220 has failed to detect data exfiltration in association with File B.

As shown in FIG. 8, and by reference number 810, assume that exfiltration detection device 240 receives exfiltration information and generates resources based on resource identifiers included in the exfiltration information. For example, assume that exfiltration detection device 240 sets up a mail server for receiving email associated with the email address of “userB@email.com.” As shown by reference number 820, assume that exfiltration detection device 240 receives an email message at the email address “userB@email.com.” For example, assume that File B has exfiltrated this email address, and at a later time, a malicious user and/or a device associated with a malicious user has sent an email message to this email address.

As shown by reference number 830, assume that exfiltration detection device 240 identifies File B using the email address, thereby indicating that File B exfiltrated the email address. For example, and as shown, exfiltration detection device 240 may identify File B using text from the email address (e.g., which uses the “B” from the file name of “File B”), or may identify File B using a data structure that correlates the email address to File B. As shown by reference number 840, based on identifying File B as a data exfiltration malware application, exfiltration detection device 240 updates a malware indicator, associated with File B, to indicate that File B is malware. Additionally, or alternatively, exfiltration detection device 240 may perform an action to counteract File B, such as notifying a client device 210 that previously accessed (e.g., downloaded, stored, executed, etc.) File B that File B is malware. In this way, exfiltration detection device 240 may assist in detecting data exfiltration after the data exfiltration has occurred (e.g., when the exfiltrated data is being accessed and/or used).

As indicated above, FIG. 8 is provided merely as an example. Other examples are possible and may differ from what was described with regard to FIG. 8.
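The exfiltration-detection-device side of process 700 (blocks 710-740) and the FIG. 8 walk-through, as an added example that is not code from the patent: accesses to the decoy resources arrive as constructed mail-server and web-server log lines, the file is identified first through the relationship data structure and otherwise by decoding the identifier embedded in the resource identifier (assumed here to be a 12-hex-digit token, not the letter "B"), the stored malware indicator is updated from unsuspicious to suspicious, and the client devices that received the file are listed for notification. All identifiers, addresses and log lines are constructed.

```python
import re
from dataclasses import dataclass
from typing import Optional


@dataclass
class ExfiltrationRecord:
    """Exfiltration information as forwarded by the security device: the file identifier
    plus the decoy resource identifiers planted for that file (constructed values)."""
    file_id: str
    resource_ids: list[str]


# Access-log patterns for the two decoy resource types named in the text (mail server, web resource).
MAIL_RCPT = re.compile(r"RCPT TO:<([^>]+)>", re.IGNORECASE)
HTTP_HOST = re.compile(r"Host:\s*(\S+)", re.IGNORECASE)
# Decoder assumption: a 12-hex-digit file identifier is embedded in the resource identifier.
EMBEDDED_ID = re.compile(r"(?<![0-9a-f])([0-9a-f]{12})(?![0-9a-f])")


def normalize(resource_id: str) -> str:
    """Lower-case, and reduce a URL to its host so stored URLs and logged hosts compare equal."""
    rid = resource_id.strip().lower()
    if "://" in rid:
        rid = rid.split("://", 1)[1].split("/", 1)[0]
    return rid


def resource_from_log(line: str) -> Optional[str]:
    """Pull the accessed resource identifier (recipient address or host) out of a log line."""
    match = MAIL_RCPT.search(line) or HTTP_HOST.search(line)
    return normalize(match.group(1)) if match else None


class ExfiltrationDetector:
    def __init__(self) -> None:
        self.relationships: dict[str, str] = {}      # resource identifier -> file identifier
        self.malware_indicator: dict[str, str] = {}  # file identifier -> "unsuspicious" | "suspicious"
        self.recipients: dict[str, set[str]] = {}    # file identifier -> client devices that got the file
        self.events: list[dict] = []

    def register(self, record: ExfiltrationRecord, recipients: set[str]) -> None:
        """Block 710: store the relationship data structure; the file starts out unsuspicious."""
        for rid in record.resource_ids:
            self.relationships[normalize(rid)] = record.file_id
        self.malware_indicator.setdefault(record.file_id, "unsuspicious")
        self.recipients.setdefault(record.file_id, set()).update(recipients)

    def identify_file(self, resource_id: str) -> Optional[str]:
        """Block 730: look the resource up in the data structure, else decode the embedded identifier."""
        rid = normalize(resource_id)
        fid = self.relationships.get(rid)
        if fid is None:
            match = EMBEDDED_ID.search(rid)
            fid = match.group(1) if match else None
        return fid

    def on_resource_access(self, log_line: str) -> Optional[dict]:
        """Blocks 720-740: an access to a decoy resource flips the indicator to suspicious and
        names the client devices that received the file and must be notified."""
        rid = resource_from_log(log_line)
        fid = self.identify_file(rid) if rid else None
        if fid is None:
            return None
        previous = self.malware_indicator.get(fid, "unknown")
        self.malware_indicator[fid] = "suspicious"
        event = {"resource": rid, "file_id": fid, "previous_indicator": previous,
                 "notify": sorted(self.recipients.get(fid, set()))}
        self.events.append(event)
        return event


if __name__ == "__main__":
    detector = ExfiltrationDetector()
    detector.register(ExfiltrationRecord("b7e1a2c3d4f5", ["user-b7e1a2c3d4f5@detector.example"]),
                      {"client-210-1"})
    print(detector.on_resource_access("smtp 203.0.113.7 RCPT TO:<user-b7e1a2c3d4f5@detector.example>"))
```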

Implementations described herein assist in detecting data exfiltration as the data exfiltration occurs and/or after the data exfiltration occurs. In this way, the likelihood of detecting data exfiltration increases, thereby providing better information security.

The foregoing disclosure provides illustration and description, but is not intended to be exhaustive or to limit the implementations to the precise form disclosed. Modifications and variations are possible in light of the above disclosure or may be acquired from practice of the implementations.

As used herein, the term component is intended to be broadly construed as hardware, firmware, and/or a combination of hardware and software.

Some implementations are described herein in connection with thresholds. As used herein, satisfying a threshold may refer to a value being greater than the threshold, more than the threshold, higher than the threshold, greater than or equal to the threshold, less than the threshold, fewer than the threshold, lower than the threshold, less than or equal to the threshold, equal to the threshold, etc.

It will be apparent that systems and/or methods, described herein, may be implemented in different forms of hardware, firmware, or a combination of hardware and software. The actual specialized control hardware or software code used to implement these systems and/or methods is not limiting of the implementations. Thus, the operation and behavior of the systems and/or methods were described herein without reference to specific software code—it being understood that software and hardware can be designed to implement the systems and/or methods based on the description herein.

Even though particular combinations of features are recited in the claims and/or disclosed in the specification, these combinations are not intended to limit the disclosure of possible implementations. In fact, many of these features may be combined in ways not specifically recited in the claims and/or disclosed in the specification. Although each dependent claim listed below may directly depend on only one claim, the disclosure of possible implementations includes each dependent claim in combination with every other claim in the claim set.

No element, act, or instruction used herein should be construed as critical or essential unless explicitly described as such. Also, as used herein, the articles “a” and “an” are intended to include one or more items, and may be used interchangeably with “one or more.” Furthermore, as used herein, the terms “group” and “set” are intended to include one or more items (e.g., related items, unrelated items, a combination of related items and unrelated items, etc.), and may be used interchangeably with “one or more.” Where only one item is intended, the term “one” or similar language is used. Also, as used herein, the terms “has,” “have,” “having,” or the like are intended to be open-ended terms. Further, the phrase “based on” is intended to mean “based, at least in part, on” unless explicitly stated otherwise.

1-20. (canceled)
21. A method comprising: identifying, by a device, a policy; implementing, by the device, the policy based on identifying the policy; determining, by the device and based on implementing the policy, a quantity of premature expirations of an adjustment interval, a bandwidth reservation of a label-switched path being adjusted at an expiration of the adjustment interval; and determining, by the device and based on determining the quantity of premature expirations of the adjustment interval, an updated policy that reduces the quantity of premature expirations of the adjustment interval.
22. The method of claim 21, further comprising: receiving information that identifies network traffic behavior associated with the label-switched path, where identifying the policy comprises: determining the policy based on the information that identifies the network traffic behavior associated with the label-switched path.
23. The method of claim 21, further comprising: determining a sample interval value and an adjustment interval value, where identifying the policy comprises: determining the policy based on the sample interval value and the adjustment interval value.
24. The method of claim 21, further comprising: analyzing network traffic behavior associated with the label-switched path, where identifying the policy comprises: determining the policy based on analyzing the network traffic behavior associated with the label-switched path and a model associated with the label-switched path.
25. The method of claim 21, where the policy is a first policy, where the label-switched path is a first label-switched path, where the method further comprises: identifying a second policy for a second label-switched path, and where the second policy is different from the first policy.
26. The method of claim 21, further comprising: determining multiple policies for the label-switched path, where identifying the policy comprises: identifying the policy as a particular policy, of the multiple policies, to be implemented based on a time of day.
27. The method of claim 21, further comprising: providing, to an ingress routing device, one or more instructions that cause the ingress routing device to implement the updated policy.
28. A system comprising: a memory; and one or more processors to: identify a policy; determine, based on the policy, a quantity of premature expirations of an adjustment interval, a bandwidth reservation of a label-switched path being adjusted at an expiration of the adjustment interval; and determine, based on determining the quantity of premature expirations of the adjustment interval, an updated policy that reduces the quantity of premature expirations of the adjustment interval.
29. The system of claim 28, where the one or more processors are further to: receive information that identifies network traffic behavior associated with the label-switched path, and where, when identifying the policy, the one or more processors are to: determine the policy based on the information that identifies the network traffic behavior associated with the label-switched path.
30. The system of claim 28, where the one or more processors are further to: determine a sample interval value and an adjustment interval value, and where, when identifying the policy, the one or more processors are to: determine the policy based on the sample interval value and the adjustment interval value.
31. The system of claim 28, where the one or more processors are further to: analyze network traffic behavior associated with the label-switched path, and where, when identifying the policy, the one or more processors are to: determine the policy based on analyzing the network traffic behavior associated with the label-switched path and a model associated with the label-switched path.
32. The system of claim 28, where the policy is a first policy, where the label-switched path is a first label-switched path, where the one or more processors are further to: identify a second policy for a second label-switched path, and where the second policy is different from the first policy.
33. The system of claim 28, where the one or more processors are further to: determine multiple policies for the label-switched path, and where, when identifying the policy, the one or more processors are to: identify the policy as a particular policy, of the multiple policies, to be implemented based on a time of day.
34. The system of claim 28, where the one or more processors are further to: provide, to an ingress routing device, one or more instructions that cause the ingress routing device to implement the updated policy.
35. A non-transitory computer-readable medium storing instructions, the instructions comprising: one or more instructions that, when executed by at least one processor, cause the at least one processor to: identify a policy; determine, based on the policy, a quantity of premature expirations of an adjustment interval, a bandwidth reservation of a label-switched path being adjusted at an expiration of the adjustment interval; and determine, based on determining the quantity of premature expirations of the adjustment interval, an updated policy that reduces the quantity of premature expirations of the adjustment interval.
36. The non-transitory computer-readable medium of claim 35, where the one or more instructions further cause the at least one processor to: receive information that identifies network traffic behavior associated with the label-switched path, and where the one or more instructions to identify the policy cause the at least one processor to: determine the policy based on the information that identifies the network traffic behavior associated with the label-switched path.
37. The non-transitory computer-readable medium of claim 35, where the one or more instructions further cause the at least one processor to: determine a sample interval value and an adjustment interval value, and where the one or more instructions to identify the policy cause the at least one processor to: determine the policy based on the sample interval value and the adjustment interval value.
38. The non-transitory computer-readable medium of claim 35, where the one or more instructions further cause the at least one processor to: analyze network traffic behavior associated with the label-switched path, and where the one or more instructions to identify the policy cause the at least one processor to: determine the policy based on analyzing the network traffic behavior associated with the label-switched path and a model associated with the label-switched path.
39. The non-transitory computer-readable medium of claim 35, where the policy is a first policy, where the label-switched path is a first label-switched path, where the one or more instructions to identify the policy cause the at least one processor to: identify a second policy for a second label-switched path, and where the second policy is different from the first policy.
40. The non-transitory computer-readable medium of claim 35, where the one or more instructions further cause the at least one processor to: determine multiple policies for the label-switched path, and where the one or more instructions to identify the policy cause the at least one processor to: identify the policy as a particular policy, of the multiple policies, to be implemented based on a time of day.